
Page 1: Healthcare Providers and Social Networking: New Threat to ...media.straffordpub.com/products/healthcare... · 10/22/2009  · These risks, if realized, can evidence HIPAA security

CLICK ON EACH FILE IN THE LEFT HAND COLUMN TO SEE INDIVIDUAL PRESENTATIONS.

If no column is present: click Bookmarks or Pages on the left side of the window.

If no icons are present: Click View, select Navigational Panels, and choose either Bookmarks or Pages.

If you need assistance or to register for the audio portion, please call Strafford customer service at 800-926-7926 ext. 10

presents

Healthcare Providers and Social Networking: New Threat to Patient Privacy

Minimizing Liability for Unwitting Physician and Staff Breaches

Today's panel features:

Timothy P. Tobin, Hogan & Hartson, Washington, D.C.

Jo-Ellyn Sakowitz Klein, Counsel, Akin Gump Strauss Hauer & Feld, Washington, D.C.

Chris Apgar, Certified Information Systems Security Professional, Apgar & Associates, Portland, Ore.

Thursday, October 22, 2009

The conference begins at: 1 pm Eastern, 12 pm Central, 11 am Mountain, 10 am Pacific

The audio portion of this conference will be accessible by telephone only. Please refer to the dial-in instructions emailed to registrants to access the audio portion of the conference.

A Live 90-Minute Teleconference/Webinar with Interactive Q&A

Page 2

© 2008 Hogan & Hartson LLP. All rights reserved.

Social Networking: Uses and Trends

Timothy P. Tobin, Attorney

Hogan & Hartson, LLP

202-637-6833

[email protected]

October 22, 2009

Page 3

There are Many Kinds of Social Media

Page 4

Social Networking: Uses and Trends

Social Media Generally: Three Important Factors: (1) The “Oops” Factor; (2) Anonymity is not Assured; (3) Consumers Can Respond Quickly

– Blogging:

• Whole Foods CEO investigated for anonymous blog comments that reportedly cheered financial results, trumpeted his gains on stock and bashed a competitor

• Model anonymously referred to as “skank” and “ho” uncovers identity of blogger (blogger is now suing Google)

– Social Networks: Continental Airlines was required to remedy sexual harassment of an employee on a third party work related online bulletin board

– YouTube Video Uploads: Domino’s Pizza employee video of employees doing disgusting things

– Twitter: Battle Creek, Michigan mayor accidentally posted a link to sensitive city employee personal information, which included some Social Security numbers

– Consumer Reaction: Motrin Moms Controversy (massive online reaction to babywearing ad)

Page 5

Social Networking: Uses and Trends

Social Media in the Medical World

• Clearly a role for social media as part of corporate marketing or public relations campaigns

– Kaiser Permanente: Dr. Maring’s Farmers’ Market and Recipe Update http://recipe.kaiser-permanente.org/

– Mayo Clinic YouTube Channel http://www.youtube.com/user/mayoclinic (and twitter page, facebook page, blog and podcasts)

– Wellpoint reviews and responds to critical tweets from insureds and physicians

– Physicians are increasingly using twitter as an extension of web presence, a patient communication tool, a marketing tool, and to keep in touch with colleagues

• Companies and physicians must be aware of risks: phishing, third party feeds and malware

Page 6

Social Networking: Uses and Trends

Social Media and Employees

• Employee-oriented social media has potential to promote employee engagement

– Many companies are focused only on the risks of social media

– Instead of mass e-mails or posts to an intranet, social media tools help employees participate in the creation and sharing of information

• Monitoring employee online conduct – Aug. 2009 Survey by the Health Care Compliance Association & the Society of Corporate Compliance and Ethics found 50% of surveyed organizations do not have a policy for employee online conduct outside of work.

– Active monitoring occurs only in 23% of organizations; 32% have passive monitoring and react when they become apprised of an issue; 24% have disciplined employees for activities on Facebook, Twitter or LinkedIn.

• Social Media Use Continues to Pose Risks for Job Seekers – 60% of medical schools surveyed reported incidents of students posting unprofessional and potentially embarrassing content online

Page 7

Social Networking: Increasing Regulatory Scrutiny Over Business Uses

• FTC: Revised Guides Concerning the Use of Endorsements and Testimonials in Advertisements: Effective December 1, 2009

– Clarifies that Guides apply to new media such as blogs and social networking sites containing user generated content

– Endorsers must disclose material connections with advertisers (advertisers must enforce) when consumers’ knowledge of the connection would affect the weight or credibility of the endorsement

– Endorsement: turns on (1) whether content is “sponsored” and (2) whether consumers believe the statement represents the endorser’s own view

• sponsorship is based on various factors including whether the speaker is compensated by an advertiser or its agent and

• whether the product or service in question was provided for free by the advertiser

• lack of control over the specific statement made does not automatically disqualify a statement from being deemed an “endorsement.”

Page 8

Social Networking: Increasing Regulatory Scrutiny Over Business Uses

• FTC: Revised Guides Concerning the Use of Endorsements and Testimonials in Advertisements: Effective December 1, 2009 (Cont’d)

– Clarifies there is potential liability for both an Endorser and an Advertiser for (a) unsubstantiated representations or (b) failing to disclose a material connection

– Removes the prior safe harbor from liability for “results not typical” disclaimers in testimonials – must disclose generally expected performance with substantiation for that performance

– Expert endorsements (e.g., by doctors) must be based on materials that others with the same level of expertise would consider adequate to support the claims

– When an advertisement relies on a clinical trial study that was sponsored by the advertiser, the advertisement should clearly disclose this information

Page 9

Social Networking: Increasing Regulatory Scrutiny Over Business Uses

• FDA: Holding a Public Hearing November 12 and 13, 2009 to discuss issues relating to the use of the Internet and social media tools to promote FDA regulated prescription drugs, biologics and medical devices

• Seeking Comments on Five Issues:

– Over what communications should manufacturers, packers and distributors of drugs and devices be held accountable, i.e., how much control can be exercised over user-generated content?

– Given space limitations of some social media tools, how can companies meet regulatory requirements such as fair balance and disclosure of indication and risk information?

– What should the parameters be for posting corrective information on third party websites?

– When is the use of links to third party sites appropriate especially given third party sites might discuss unapproved uses?

– Various questions relating to how social media impacts adverse event reporting upon learning of adverse consumer experiences with drugs or devices?

Page 10

Social Networking: Increasing Regulatory Scrutiny Over Business Uses

How does Sidewiki affect FDA regulation and other practices?

– Off Label Promotion of a Product?

– Adverse Event Reporting?

Page 11

Social Networking: Uses and Trends

• Other Specific Legal Issues

– Anonymous product reviews (or at least sponsorship not revealed)

– Defamation

– Invasion of privacy

– Employment law issues

• Discrimination

• Harassment

• Union activity

• Fair Credit Reporting Act

– Securities disclosure

– Antitrust (sharing price information with competitors)

– Unauthorized practice or malpractice

– Section 230(c) of the Communications Act provides substantial immunity for unaffiliated third party posts

Page 12

Abu Dhabi, Baltimore, Beijing, Berlin, Boulder, Brussels, Caracas, Colorado Springs, Denver, Geneva, Hong Kong, Houston, London, Los Angeles, Miami, Moscow, Munich, New York, Northern Virginia, Paris, Philadelphia, San Francisco, Shanghai, Silicon Valley, Tokyo, Warsaw, Washington, DC

For more information on Hogan & Hartson, please visit us at www.hhlaw.com

Page 13

©2009 Akin Gump Strauss Hauer & Feld LLP. All Rights Reserved.

Social Networking and Healthcare Providers: Understanding the Risks

October 22, 2009

Presented by Jo-Ellyn Sakowitz Klein

(202) [email protected]

Page 14

Balancing Benefits against Risks

Health care providers are harnessing the power of social media in many exciting and innovative ways to improve patient care and create new efficiencies

Providers must be careful to assess fully the use of social networking tools, and to balance benefits against risks, as appropriate

Page 15

Main Areas of Concern

• HIPAA Compliance

– Privacy Concerns

– Security Concerns

• Patient Privacy and Dignity

• Concerns as an Employer

• Control over Content

• Patient and Physician Blog Postings

Page 16

Risks Realized…

Posting Pictures: University of New Mexico Hospital Employees

MySpace Posting of Medical Information: Minnesota Medical Clinic

Facebook Group: Christopher Cornstalk

Page 17

HIPAA Privacy Concerns

The HIPAA privacy regulations apply to protected health information (“PHI”), which generally includes any information, whether oral or written, that is:

• Created or received by a health care provider, health plan, employer, or health care clearinghouse;

• Relates to the past, present, or future physical or mental health or condition of an individual, the provision of care to an individual, or the past, present, or future payment for the provision of health care to an individual; and

• Identifies the individual (or could reasonably be expected to be used to identify the individual)

Page 18

HIPAA Privacy Concerns

Core concept of the HIPAA privacy rule: Do not use or disclose PHI without authorization, unless you are expressly permitted or required to do so

Examples of permitted uses and disclosures: treatment, payment, and healthcare operations (“TPO”)

Examples of required uses and disclosures: required by law, pursuant to a court order

Social media have opened the door to a new range of potential HIPAA privacy violations

• Unauthorized and impermissible uses

• Unauthorized and impermissible disclosures

Page 19

HIPAA: Covered Entities

• Physician and Staff Disclosure: Covered under the HIPAA privacy rule

• Medical Student Disclosure: Covered under the HIPAA privacy rule

• PHR Vendors and Related Entities: Not covered under the HIPAA privacy rule

– The American Recovery and Reinvestment Act of 2009 (“ARRA”) requires the Secretary of HHS, in consultation with the FTC, to report to Congress on privacy and security requirements for entities, including PHR vendors and PHR related entities, that are presently neither covered entities nor business associates

• Health 2.0: Patients sharing information online through discussion groups, chat rooms, and other virtual communities

– Generally not covered under the HIPAA privacy rule

Page 20

“But I removed all of the identifiers…”

Where certain data elements are removed from PHI, the information may be afforded varying degrees of protection

• De-identified Data

• Limited Data Set

• Merely removing names and addresses from data sets will not suffice

• This is a bit of a moving target

– ARRA requires the Secretary of HHS to issue additional guidance on how to best implement de-identification requirements

– In light of new uses for the limited data set concept in ARRA, we may see adjustments in this concept as well

Page 21

HIPAA Security Concerns

Core goals of the HIPAA security rule:

• Ensure the confidentiality, integrity, and availability of electronic PHI (“ePHI”) created, received, maintained, or transmitted by covered entities

• Protect against reasonably anticipated threats and hazards to the security or integrity of ePHI

• Protect against reasonably anticipated HIPAA privacy rule violations

Basic foundation for compliance:

• Assessment and management of risk

• Reasonable and appropriate policies and procedures

HIPAA standards and implementation specifications:

• Addressable (A) versus Required (R)

• Not a one-size-fits-all approach

Page 22

HIPAA Security Concerns

The HIPAA security rule requires entities to develop and implement administrative, physical, and technical safeguards to protect ePHI

• Key Administrative Safeguards: Risk Analysis; Risk Management; Sanction Policy; Security Awareness and Training

• Key Physical Safeguards: Workstation Use; Device and Media Controls

• Key Technical Safeguards: Encryption; Audit Controls

Page 23

HIPAA Security Concerns

Data gathered, stored, and transmitted via social media may not be appropriately safeguarded

Risks include:

• Intercepted messaging

• Unintentional disclosure

• Identity/medical identity theft

• Compromised data integrity

These risks, if realized, can evidence HIPAA security rule violations

Use HIPAA security rule compliance efforts as a springboard for assessing (and addressing) risks relating to use of social media

Think beyond the emails and texts physicians and staff may be sending

• For example, consider patient and visitor – as well as physician – use of cell phone cameras and webcams

Page 24

HIPAA Reforms

Changes to the HIPAA regime made under ARRA dramatically enhance risks relating to privacy and security violations:

• Increased penalties

• New enforcement mechanisms

• Audits

• Breach notification

Page 25

Patient Privacy and Dignity: Legal Challenges

• Breach of Confidential Relationship

• Infliction of Emotional Distress

• Invasion of Privacy

• Defamation

• Potential Vicarious Liability for Torts Committed by Employees

Page 26

Concerns as an Employer

Potential Value to Employers

• Promoting services and special programs

• Enhanced recruiting potential

• Increased interaction between physicians and patients

Potential Problems for Employers

• Harassment among employees

– Employers are not required to monitor comments made on electronic bulletin boards, but do have a duty to stop harassment in settings related to the work place if they know or have reason to know of the harassment (see, e.g., Blakely v. Cont’l Airlines, Inc., 751 A.2d 538 (N.J. 2000))

• Retaliation from former employees

– Employers may have defamation claims against former employees for blog postings (see, e.g., Varian Med. Sys. Inc. v. Delfino, 6 Cal. Rptr. 3d 325 (Cal. Ct. App. 2003), rev’d on other grounds, 106 P.3d 958 (Cal. 2005))

Page 27

Control over Content: Key Problems

• Physician Facebook Pages

– Unprofessional behavior affects patients’ perceptions

– Lack of physician awareness of the problem

• Inability to Track and Monitor Communications

– Providers may be unaware of comments made by employees

– Many new technologies (e.g., Twitter, Instant Messaging) leave little or no paper trail

• Reacting to Negative Posts

– Negative comments can change a blog’s original purpose

– How can providers respond to negative comments without revealing confidential information?

Page 28

Employer Control over Content

• 15 percent of employers have blogging policies

• 12 percent of employers monitor social network sites to see what is written about them

• Electronic Communications Privacy Act of 2000

– Permits monitoring of electronic communications if there is a legitimate business purpose

Page 29

Limitations on Control over Content

Free Speech Concerns

• Are social networking sites protected speech?

– Connecticut court did not protect MySpace page under First Amendment principles when school board asked a high school teacher to take down his personal page (Spanierman v. Hughes, 2008 U.S. Dist. LEXIS 69569 (D. Conn. Sept. 16, 2008))

– Student comments on MySpace page do not constitute criminal harassment because comments were protected speech under the state’s constitution (A.B. v. State, 863 N.E. 2d 1212 (Ind. Ct. App. April 9, 2007), rev’d on other grounds 885 N.E. 2d 1223 (Ind. 2008))

State Laws

• Several states have adopted “lifestyle” statutes prohibiting discrimination based on lawful, off-duty conduct

Page 30

Physician Blog Postings

Potential Benefits

• Excepted from HIPAA use and disclosure restrictions if limited to physician-physician communication concerning treatment

• Potential benefits of sharing information, discussion groups

• Potential tool to recruit employees

Potential Problems

• How can you ensure discussions are limited to physicians?

• Should patients know that information will be discussed with other physicians?

• How secure is the information?

Page 31

Patient Web Blogs

Potential Benefits

• Greater communication between doctors and patients

• Easy to respond to patient comments

• Patient support groups

Potential Concerns

• Patient disclosure of PHI does not violate HIPAA, but will patients appreciate potential privacy concerns?

• How to ensure accurate information?

• Can providers adequately diagnose or respond to questions without seeing or directly speaking with patients?

Page 32

Next Steps

Consider all risks relating to use of social media:

• Legal risks

• Public relations risks

• Business risks

• Patient care risks

As you undertake activities necessary to update policies and procedures to address the new HHS breach notification regulations, comply with the FTC Red Flags Rule, and respond to the expected omnibus ARRA privacy regulations, carefully evaluate and consider approaches to addressing risks relating to use of social media

Page 33

October 22, 2009

Chris Apgar, CISSP

President, Apgar & Associates, LLC

Apgar & Associates, LLC (c) 10/2009

Page 34

• Addressing Top Risks

• What Individuals May Do With Their PHI

• Reasonable Steps to Protect Against Privacy & Security Breaches

• Summary and Discussion

Page 35

The Centers for Medicare and Medicaid Services (CMS) recently announced as part of their security audit process that all PHI sent over the Internet must be encrypted

Most social networking or quick communication tools do not meet this requirement

Social networking should be prohibited or limited (such as text messaging), even if used for business purposes

Page 36

All data or messages sent via Web mail while at work become personal property, and the organization has no way to audit or access what is sent

Provider organizations should block all use of web based email

It is easier to block access than to implement a policy and hope the workforce complies with it

Unless a web tracking tool is purchased, such policies are difficult to enforce

Page 37

Text messaging is commonly used in many organizations and is seen as a tool to improve communication and share needed information quickly

Text messaging is usually not encrypted unless sent between two workforce members using, say, an organization’s mobile carrier who can provide a secure environment for calls and texting

Page 38

Provider organizations, where feasible, should only allow the use of company owned and configured smart phones to limit risk associated with non-secure communication

Even if using an organization designated secure mobile carrier and organization owned smart or mobile phones, text messages are often sent to others with different carriers, meaning the text is no longer secure

Prohibiting text messaging is advisable but not always feasible or enforceable

Page 39

Twitter, like text messaging, represents an unsecure form of instant communication

It may be popular, but even short messages including PHI can be intercepted

Organizations generally cannot monitor what is sent or received via Twitter; therefore, access should be blocked

Twitter can lead to increased exposure and breach of PHI, and generally it is not intentional

Page 40

Facebook and MySpace users are no longer primarily high school and college age students and young adults

Facebook in particular is increasingly becoming a significant international social networking tool for adults over the age of 50

Facebook, MySpace and other social networking sites should be blocked by provider organizations

Again, it is easier to block than to implement a policy and hope for compliance

Page 41

Even mobile to mobile calls represent a potential risk if not handled appropriately

Policies and procedures should be implemented and enforced requiring that all workforce members not discuss PHI via mobile phone in public areas – even in communication with the patient

This is associated with a strong remote access policy governing all PHI use and disclosure away from the office

Page 42

Mobile wireless or wireless hot spot use can also result in inappropriate disclosure of PHI

Wireless connections to a provider’s network should require encryption and connections through a virtual private network (VPN)

Logging in to the organization’s network remotely should only occur from a secure location such as a hotel room, rather than from an area open to the public, to avoid social engineering (often called “shoulder surfing”)

Page 43

Facebook and MySpace have been used to post personal health information about individuals with Facebook and MySpace accounts (often posted by the individual who the information relates to)

If an individual is provided an electronic copy of his or her medical or claims record and the individual posts information from the record on Facebook or MySpace, that lies outside the area of covered entity and business associate responsibility

Page 44

As with financial transactions, consumers are moving more towards convenience versus strict privacy controls (this does not mean privacy concerns will quickly go away)

This means consumers are more willing to:

◦ Text their doctor and include PHI

◦ Send unencrypted e-mail messages to their provider or health plan

◦ Review their medical or claims information from an Internet café

◦ Post health information on the Web

Page 45

Covered entities cannot force consumers to use secure methods of communication but covered entities must not use non-secure methods when responding to patients or health plan members

Covered entities cannot ask an individual to sign a waiver accepting the risk of sending unencrypted PHI over the Internet

This relates to the Privacy Rule prohibition against requiring individuals to waive any of their privacy rights


Documentation and formal policies are a must

Also, training on and enforcement of those policies are required

A risk analysis should be conducted at least annually, or whenever major business or systems changes occur, and should include evaluating the use of text messaging, Twitter, remote access, etc.


Search for a mobile provider who offers an encrypted mobile network (keeping in mind this will not protect PHI sent to smart and mobile phones outside that carrier’s secure network)

Monitor Internet use and sites visited where PHI could be disclosed and block as necessary


If text messaging is allowed for business purposes, documenting that the risk was evaluated and accepted is required

Require the use of encrypted transmission for all forms of electronic PHI (email, FTP, etc.)

Encrypt laptop hard drives (company owned) and require encryption of hard drives or folders used to store PHI if personal portable device use for business purposes is allowed


Access may be through an encrypted web site but that doesn’t necessarily prevent laptop hijacking or external access to the remote device

If the risk is considered acceptable, document it

Reasonably ensure anti-malware software is kept up to date and regularly run

This can be set up as part of the configuration of company owned devices but may be difficult to enforce if personal devices are used


Implement and require the use of a virtual private network (VPN) if feasible for all remote access

Implement appropriate controls related to portable media

Encrypt portable media where feasible


GoToMeeting and WebEx should not be used when PHI will be disclosed, such as internal staff training that requires the use of PHI for training purposes, or consultation purposes

If GoToMeeting, WebEx or a related on-line meeting tool is used and PHI is exchanged, upgrade (at a cost) to encrypted meeting sessions


Chris Apgar, CISSP, President


This document is distributed for informational use only; it does not constitute legal advice and should not be used as such. © 2009 Akin Gump Strauss Hauer & Feld LLP

HEALTH INDUSTRY ALERT

FTC SET TO BEGIN ENFORCING IDENTITY THEFT PREVENTION REGULATIONS ON AUGUST 1, 2009

July 1, 2009

Entities subject to the Federal Trade Commission’s (FTC) Red Flags Rule promulgated under the Fair and Accurate Credit Transactions (FACT) Act of 2003—including many health care providers—must develop and implement written policies to detect, prevent and mitigate identity theft by August 1, 2009. The FTC issued final Red Flags regulations in conjunction with other agencies in November 2007, but delayed implementation several times. The current deadline comes at a time of increased FTC activity in the privacy and security sphere. Notably, the FTC recently issued proposed regulations concerning breach notification requirements applicable to personal health records and, also, settled charges against retail pharmacy chain CVS Caremark for allegedly failing to take reasonable and appropriate security measures to protect sensitive customer and employee financial and medical information.

A successful Identity Theft Prevention Program developed in response to the FTC Red Flags Rule will build on existing efforts to combat fraud and protect patients. Covered health care providers can build on existing practices and pathways to create a Red Flags Program. For many entities, efforts undertaken to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations may serve as a good springboard for Red Flags Rule compliance activities.

RED FLAGS RULE APPLIES TO MANY HEALTH CARE PROVIDERS

Notwithstanding the efforts of the American Medical Association to sway the agency, the FTC has clearly indicated that the Red Flags Rule applies in the health care setting. The Red Flags Rule applies to all “creditors” who offer or maintain one or more “covered accounts.” Relevant law defines “creditor” as any entity that regularly defers payments for goods or services, or arranges for the extension of credit. The FTC considers health care providers who bill patients after rendering medical care or who balance-bill patients for medical fees not covered by insurance to be creditors covered by the Red Flags Rule. “Covered accounts” include accounts on which creditors allow multiple payments, including patient billing accounts, and any accounts for which there is a “reasonably foreseeable risk” of identity theft to customers or the creditor, such as patient records.

Under the Red Flags Rule, a covered health care provider must develop and implement a written Identity Theft Prevention Program that enables the provider to detect, prevent and mitigate identity theft. In general, a Red Flags Program must be appropriate given the size and complexity of the institution and the scope of its activities. Entities subject to the Red Flags Rule that fail to comply with its requirements may face civil monetary penalties, as well as potentially costly long-term consent agreements.

RED FLAGS RULE CORE REQUIREMENTS

The Red Flags Rule outlines four elements that each written Identity Theft Prevention Program must contain and also includes several requirements concerning how each Program must be administered. In addition, Guidelines appended to the Red Flags Rule provide additional insights for designing and implementing a Program. While covered health care providers must consider the Guidelines in designing Red Flags Programs, they are not required to incorporate any specific suggestions.

Components of a Red Flags Program

• Red Flag Identification. A Red Flags Program must include reasonable policies and procedures to identify Red Flags (i.e., patterns, practices or specific activities that indicate the possible existence of identity theft). The Guidelines provide many suggestions for flags that may be relevant to a given entity’s operations. Many health care providers may find that Red Flags fall into three general categories: patient-raised concerns (e.g., patient reports receiving a bill for a service that he or she did not receive), internally raised concerns (e.g., provider finds that a patient’s history or physical examination is inconsistent with the patient’s record of medical treatment) and externally raised concerns (e.g., provider receives notice of suspected identity theft situation from law enforcement officials).

• Red Flag Detection. The Program must contain reasonable policies and procedures to detect Red Flags. Covered health care providers will need to be able to detect Red Flags at the time new patient accounts are established, as well as flag problems affecting existing patient accounts. Ongoing detection efforts may involve routine patient identity authentication, procedures for verifying change of address requests and periodic staff surveys to determine whether any patients have presented suspicious documentation or have reported any unusual activity on their accounts.

• Red Flag Response. The Program must include reasonable policies and procedures to prevent and mitigate identity theft by responding to detected Red Flags. For example, covered health care providers may find that appropriate responses to a trigger may include monitoring a patient’s account and medical records for evidence of identity theft, contacting the affected patient to investigate the matter or notifying law enforcement officials.

• Program Update. The Program must contain reasonable policies and procedures to ensure that it is updated periodically to reflect changes in risks to patients from identity theft. This will typically involve reassessing the health care provider’s list of Red Flags, learning from any experiences with identity theft, reevaluating methods for detecting triggers, and updating staff training materials, among other activities.

Highlights of Red Flags Program Administration Requirements

• Leadership Role. The FTC envisions that an entity’s board of directors (or other leaders) will play an ongoing role in Red Flags Rule compliance efforts. For example, each covered health care provider must secure approval of its initial written Program from its board of directors (or an appropriate board committee). In a similar vein, the Guidelines recommend, among other steps, that health care providers present an annual report to the board (or other designated senior management officials) on Red Flags compliance issues.

• Training. Covered health care providers must train relevant staff to implement the Program effectively, as necessary. Many covered health care providers may find that individuals working in admissions, billing, legal and information technology departments, for example, may need to be trained. In many cases, training modules developed for HIPAA compliance purposes may be modified for use in connection with Red Flags Rule compliance efforts.

• Service Provider Oversight. Covered health care providers must exercise appropriate and effective oversight of service provider arrangements. The Guidelines expand upon this concept, suggesting that entities ensure that any service providers engaged to perform activities in connection with one or more covered accounts implement reasonable policies and procedures to detect, prevent and mitigate identity theft. Many covered health care providers may find that HIPAA compliance mechanisms, such as lists of entities with which they have entered into business associate agreements, provide a good starting point for service provider oversight efforts.

CONCLUSION

Identity theft is a growing problem in the health care industry. The FTC reports that roughly 5 percent of all identity theft victims have experienced medical identity theft, which occurs when someone falsely uses another person’s name or insurance information to obtain medical services or products. Recently, cases involving thefts of laptops containing patient records and the unauthorized access of patient health information by facility employees have garnered national media attention. Medical identity theft creates financial and administrative problems for health care providers and may dangerously complicate patient care.

A Red Flags Program that is a natural outgrowth of existing policies and procedures can be an effective tool for combating identity theft in the health care setting. Moreover, such a Program can be readily incorporated into an organization’s overall corporate compliance program in a relevant and appropriate manner, which will enable it to benefit from the centralized focus, resources and initiatives that characterize comprehensive compliance programs.

CONTACT INFORMATION

If you have any questions regarding this alert, the Red Flags Rule or laws concerning the privacy and security of health information more generally, please contact—

Jorge Lopez, Jr., 202.887.4128, [email protected], Washington, D.C.
Jo-Ellyn Sakowitz Klein, 202.887.4220, [email protected], Washington, D.C.
Gary Thompson, 202.887.4118, [email protected], Washington, D.C.
Anna R. Dolinsky, 202.887.4504, adolinsky@akingump.com, Washington, D.C.


HEALTH INDUSTRY ALERT

AMERICAN RECOVERY AND REINVESTMENT ACT OF 2009: STIMULUS LEGISLATION OVERHAULS AND EXPANDS THE REACH OF THE FEDERAL HIPAA REGIME GOVERNING HEALTH INFORMATION PRIVACY AND SECURITY

February 20, 2009

On February 17, 2009, President Obama signed the American Recovery and Reinvestment Act of 2009 (Recovery Act), which includes provisions making major changes to the federal health information privacy and security regime established pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This legislation substantially broadens the scope and expands the reach of requirements concerning the privacy and security of health information. These changes will have a major impact on many health sector participants, including individuals and entities currently treated as “Covered Entities” (defined as including certain health care providers, as well as health plans and health care clearinghouses) and the “Business Associates” that perform functions or services on their behalf.

Key changes to the existing HIPAA privacy and security regime enacted through the stimulus legislation include, but are not limited to, the following—

• Expanding obligations—and exposure—of Business Associates. Under existing federal law, Business Associates only need to comply with a discrete list of privacy and security obligations that can be enforced by the Covered Entity through contract. Not only has this list of obligations expanded, but in a sea change for Business Associates, the Recovery Act creates direct, statutory obligations for Business Associates. The stakes are high, as the Recovery Act applies civil and criminal penalties to Business Associates.

• Establishing a federal breach notification requirement. While many states have adopted security breach notification laws, existing federal law does not require notice of data breaches involving protected health information (PHI). The Recovery Act establishes an expansive protocol for providing notice in the event that an individual’s unsecured PHI has been (or is reasonably believed to have been) accessed, acquired or disclosed as a result of a data breach. This new federal regime is more prescriptive and onerous than data breach notification laws presently in place in many states. For example, the legislation goes so far as to require that in addition to notifying individuals, both the Secretary of the U.S. Department of Health and Human Services (Secretary) and prominent local media outlets must be notified of data breaches under certain circumstances.

• Calling for refinement of the “minimum necessary” standard. Covered Entities are presently required to use, disclose and request only the “minimum necessary” PHI in many situations. The Recovery Act calls for new regulations on what constitutes “minimum necessary” for purposes of the HIPAA privacy provisions, and establishes a transitional standard that will remain in effect until the Secretary issues the required guidance.

• Expanding the types of disclosures subject to accounting requirements. Individuals currently have the right to receive an accounting of disclosures of their PHI made by a Covered Entity in the past six years, with certain exceptions. One important exception is for disclosures to carry out treatment, payment and health care operations. The Recovery Act eliminates this exception for Covered Entities using electronic health records. The legislation requires such Covered Entities to account for these types of disclosures, to the extent they are made through an electronic health record, for the three years preceding the date of the accounting request.

• Limiting the sale of protected health information. Existing privacy regulations do not provide extensive guidance concerning situations in which the sale of PHI would be prohibited without authorization. The Recovery Act expressly prohibits Covered Entities and Business Associates from directly or indirectly receiving remuneration in exchange for PHI without the individual’s authorization, subject to several exceptions. Specifically, the legislation carves out exceptions for public health activities, treatment, the merger or acquisition of the Covered Entity, research (if remuneration is limited to the cost of preparation and transmittal of data) and certain Business Associate functions, as well as for the purpose of allowing individuals to copy their PHI when exercising their access rights. The legislation allows the Secretary to create additional exceptions that are similarly necessary and appropriate.

• Restricting marketing communications. HIPAA regulations currently carve out commercial communications related to treatment and certain health care operations from the definition of “marketing,” thus allowing these communications to be conducted without authorization from the individual. The Recovery Act adds a new degree of complexity to the marketing analysis, further limiting the situations in which such communications may be made without authorization. The legislation does not, however, affect communications made for treatment purposes.

• Fine-tuning requirements concerning fundraising activities. Currently, Covered Entities may use and make limited disclosures of a restricted set of PHI for their own fundraising purposes, without authorization, provided that any fundraising materials sent to an individual expressly describe how the individual may opt out of receiving further fundraising communications. While Congress considered changes that would have required authorization for all uses and disclosures of PHI for fundraising purposes, the Recovery Act, in its final form, instead only clarifies the existing regime. Specifically, the Recovery Act calls for regulations requiring that written fundraising communications provide, in a clear and conspicuous manner, an opportunity for the recipient of the communication to elect not to receive any further such communications. The Recovery Act also provides that an individual’s exercise of the opt-out right will be treated as a revocation of authorization.

• Enhancing penalties and strengthening enforcement of privacy and security requirements. HIPAA enforcement efforts to date have been weak, with far fewer Covered Entities being penalized for compliance lapses than anticipated. The Recovery Act takes numerous steps to reverse this trend, including allowing state attorneys general to file suit on behalf of their residents for violations of HIPAA, requiring the Secretary to conduct audits of Covered Entities and Business Associates to ensure compliance with privacy and security requirements, calling for a mechanism to allow individuals harmed by a privacy or security violation to receive a percentage of any civil monetary penalties or settlement amounts collected in connection with the offense, clarifying that criminal penalties established by HIPAA may apply to employees of a Covered Entity or Business Associate, and creating a tiered civil monetary penalty system based on the level of intent or neglect (with penalties ranging from $100 to $50,000 for each individual violation, subject to various caps).

• Contemplating expanding the HIPAA regime to apply privacy and security standards to additional types of entities. Existing law focuses primarily on health care providers, health plans and health care clearinghouses, bringing certain service providers into the fold through the Business Associate contracts. The Recovery Act looks beyond Covered Entities and Business Associates. Specifically, the legislation requires the Secretary, in consultation with the Federal Trade Commission, to study and report on the extent to which privacy and security requirements should apply to entities that are not currently considered Covered Entities or Business Associates, including vendors of personal health records and other such entities.


Many stakeholders in the health care industry are still grappling with HIPAA’s already arduous rules, and fear that adding a fresh layer of complexity through statutory changes and new rulemakings could negate some of the positive benefits of health information technology (HIT) adoption. Covered Entities and Business Associates will need to devote time and resources to bringing their operations into compliance with the new privacy and security regime. All Business Associate agreements will need to be amended, policies and procedures will need to be created or updated, and current patterns of use and disclosure will need to be reassessed to ensure compliance. The landscape is likely to continue shifting as the Secretary develops and implements the myriad regulations permitted or required by the law.

CONTACT INFORMATION

If you have any questions regarding the implications of the privacy and security provisions of the Recovery Act for your business, please contact—

Jorge Lopez, Jr., [email protected], 202.887.4128, Washington, D.C.
Jo-Ellyn Sakowitz Klein, [email protected], 202.887.4220, Washington, D.C.
Kelly Maxwell, [email protected], 202.887.4385, Washington, D.C.
Kelly Cleary, [email protected], 202.887.4329, Washington, D.C.


The Metropolitan Corporate Counsel

Volume 17, No. 10 © 2009 The Metropolitan Corporate Counsel, Inc. October 2009

www.metrocorpcounsel.com

Expansive New HHS And FTC Regulations Require Entities To Provide Notice Of Data Breaches Involving Health Information

Jo-Ellyn Sakowitz Klein

AKIN GUMP STRAUSS HAUER & FELD LLP

Jo-Ellyn Sakowitz Klein is Counsel in the Washington, DC office of Akin Gump Strauss Hauer & Feld LLP. Her practice is devoted to regulatory, transactional and legislative matters affecting the health industry.

Please email the author at [email protected] with questions about this article.

The Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) recently issued significant regulations implementing provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA). HHS published its much-anticipated breach notification rule on August 24, 2009. These new regulations, to be codified at 45 C.F.R. Part 164, Subpart D, apply to hospitals, health plans, health care clearinghouses and other covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as well as to their business associates. Stakeholders are invited to comment on the HHS rule, which was issued as an interim final regulation, and comments are due on or before October 23, 2009. The FTC published a separate health breach notification final rule governing vendors of personal health records (PHRs) and certain PHR related entities on August 25, 2009, to be codified at 16 C.F.R. Part 318, which followed a proposed rule that was published on April 20, 2009.

The HHS rule becomes effective on September 23, 2009, and the FTC rule becomes effective September 24, 2009. Acknowledging that it will take time for entities to develop and implement the procedures needed to comply with these regulations, both agencies agreed to refrain from imposing sanctions for failure to provide required notifications for breaches discovered before February 22, 2010.

Notwithstanding this enforcement delay, affected entities should take prompt action to come into compliance. HHS clarified that entities are expected to be in compliance beginning on September 23, 2009, and noted that the agency would work with entities, through technical assistance and voluntary corrective action, to achieve compliance. Notably, covered entities are required to submit breach notification logs to HHS on an annual basis, and these logs must contain information on breaches occurring on or after September 23, 2009. The FTC similarly noted that regulated entities are expected to come into full compliance during the enforcement hiatus and that annual logs due to the FTC must include information for breaches occurring after the effective date of the regulation.

This article provides an overview of the relevant statutory requirements, highlights key provisions of the HHS and FTC breach notification regulations and presents some ideas for steps affected entities may want to take as they move forward with their compliance efforts.

HHS Rule: Breach Notification For Unsecured Protected Health Information

Overview of the Statutory Requirements

ARRA establishes an expansive protocol for providing notice in the event that an individual’s unsecured protected health information (PHI) has been (or is reasonably believed to have been) accessed, acquired or disclosed as a result of a breach. The statutory regime is more prescriptive and onerous than data breach notification laws presently in place in many states. Depending on the circumstances, breach notification must be provided to individuals, HHS and/or the media.

For the purposes of the statute, a breach is defined as the unauthorized acquisition, access, use or disclosure of PHI that compromises the security or privacy of such information, subject to three rather narrow exceptions: (1) unintentional acquisition, access or use of PHI by an employee or individual acting under the authority of a covered entity or business associate, provided that the acquisition, access or use was made in good faith, within the course and scope of employment (or other professional relationship), and does not result in further use or disclosure; (2) inadvertent disclosure from an individual who is otherwise authorized to access PHI at a facility to another similarly situated individual at the same facility, provided that the information is not further used or disclosed; and (3) situations where the recipient of the information would not reasonably be able to retain the information. The statute also creates a safe harbor for breaches involving PHI that has been secured through the use of certain technologies and methodologies HHS has identified as rendering PHI unusable, unreadable or indecipherable to unauthorized individuals.

The statute prescribes the timing, manner and content for the required notices in remarkable detail. For example, notice must be sent to individuals – without unreasonable delay and in no case later than 60 calendar days after discovery of a breach, via first-class mail (or, if specified as a preference by the individual, by e-mail) – and must contain, to the extent possible: (1) a brief description of what happened, including when the breach happened and when it was discovered; (2) a description of the types of PHI that were compromised (e.g., full name, Social Security number, date of birth, home address, account number or disability code); (3) the steps individuals should take to protect themselves from potential harm relating to the breach; (4) a brief description of what the covered entity is doing to investigate the breach, mitigate the harm and prevent future breaches; and (5) a toll-free number, e-mail address, Web site or postal address individuals can use to obtain additional information. The statute continues to describe rather elaborate substitute notice procedures that must be followed where the required notice cannot be furnished because contact information available for the affected individual is insufficient or out-of-date. The statute further specifies that in any case deemed by the covered entity to require urgency (e.g., due to imminent misuse of the PHI involved), the covered entity may contact the affected individuals by telephone or other means, as appropriate, but must still provide the required written notice.

well as for covered entities. Business associates that discover breaches must notify the covered entity of the situation. These notices must identify each individual whose unsecured PHI has been (or is reasonably believed by the business associate to have been) accessed, acquired or disclosed during the breach. Notably, the statute applies the same 60-day standard to business associates as it applies to covered entities.

Highlights of the HHS Breach Notification Rule

Through its rulemaking, HHS made several important clarifications to the statutory breach notification requirements, and also updated its guidance published on April 27, 2009, specifying the technologies and methodologies that render PHI unusable, unreadable or indecipherable to unauthorized individuals. Highlights include

• Harm threshold and risk assessment. HHS established a harm threshold, which allows covered entities and business associates to forego notification if they determine an incident poses little or no risk of harm to the individual whose PHI was involved (i.e., in terms of the definition of breach, the incident did not compromise the security or privacy of the information). Under this standard, a covered entity or business associate would need to perform a risk assessment to determine whether an unauthorized acquisition, access, use or disclosure poses a significant risk of financial, reputational or other harm to the individual. HHS described several factors that covered entities and business associates should consider in their risk assessments, including considering who received the PHI (e.g., a hacker versus another covered entity); any mitigation efforts that may reduce the likelihood of harm; whether the PHI (or media storing the PHI) was returned prior to access or use; and the nature of the PHI disclosed. HHS emphasized that risk assessments should be fact-specific and must be documented.

• Updates to guidance specifying how to render PHI secure. Under ARRA, breach notification is only required in situations where the PHI subject to the breach is “unsecured.” In this rule, HHS updated its April 27, 2009, guidance addressing the technologies and methodologies that render PHI secure. Although HHS considered suggestions as to alternate technologies that would ren-

Moreover, the statute dictates that forbreaches involving 500 or more individu-als, the covered entity must notify HHSimmediately. And, where the breachinvolves more than 500 residents of astate or jurisdiction, the covered entitymust notify prominent media outletsserving the state or jurisdiction, withinthe same timeframe that it notifies indi-viduals. For breaches involving fewerthan 500 individuals, covered entitiesmust maintain a log of such breaches andsubmit this log to HHS annually.

The statute contains mandates forbusiness associates (such as billing ser-vices or third party administrators) as

der PHI secure, the agency decided thatencryption and destruction remain theonly two technologies or methodologiesthat it will recognize as valid ways ofremoving records from the realm of“unsecured” PHI. HHS explicitly rejectedredaction as an acceptable alternative tosecure paper-based PHI. Under ARRA,HHS must update this guidance annually,and the first annual update will be issuedin April 2010.

• Refinements to exceptions. HHSmade important modifications to therather narrowly worded statutory excep-tions to what types of uses and disclo-sures constitute a breach. The exceptionsnow arguably encompass more situationswhere a use or disclosure was truly acci-dental, occurred internally or presents rel-atively little risk of harm. The exceptionfor unintentional access by an employeeof a covered entity or business associatehas been expanded to include all work-force members, not just employees. Theexception for inadvertent disclosuresamong similarly situated employees hasbeen construed to cover inadvertent dis-closures made by an authorized personwithin a covered entity or business asso-ciate to another similarly authorized per-son within the same covered entity,business associate or organized healthcare arrangement (OHCA) – even wherethe disclosure crosses state lines becausethe entity has multiple locations acrossthe country. Finally, HHS clarified thatbreach notification is not required wherethe covered entity or business associatebelieves in good faith that the unautho-rized recipient of the PHI would not rea-sonably have been able to retain theinformation. Covered entities and busi-ness associates seeking to take advantageof these exceptions must document theiranalyses.

• Breaches involving limited datasets. HHS declined to treat limited datasets (as defined in the relevant regula-tions) as secured for purposes of the safeharbor, but provided a narrow exceptionfor unauthorized uses or disclosuresinvolving limited data sets from whichcertain additional data elements havebeen excluded. If the information used ordisclosed without authorization consti-tutes a limited data set, and the informa-tion also does not include the individual’sdate of birth or zip code, then the PHI isnot considered compromised for breachnotification purposes. By contrast, if thedate of birth and zip code identifiers are

Page 63: Healthcare Providers and Social Networking: New Threat to ...media.straffordpub.com/products/healthcare... · 10/22/2009  · These risks, if realized, can evidence HIPAA security

Volume 17, No. 10 © 2009 The Metropolitan Corporate Counsel, Inc. October 2009

included in the limited data set, the cov-ered entity or business associate wouldstill have to undertake a risk assessmentthat would include an analysis of whetherthe data set could be used to identify theindividual.

• When breaches are treated as discovered. Affected entities will need to act promptly when faced with a breach, as notices to individuals must be provided without unreasonable delay and in no case later than 60 calendar days following discovery of the breach. HHS specified that breaches will be treated as discovered on the first day the breach is known to the covered entity or business associate or, by exercising reasonable diligence, would have been known to the covered entity or business associate. Significantly, under the rule, an entity is deemed to have discovered the breach when any member of its workforce or an agent (other than the person committing the breach) first learns of the breach or, by exercising reasonable diligence, would have known of the breach. Accordingly, it will be vital for institutions to have appropriate internal reporting systems in place, as well as clear lines of communication established with any outside agents. The rule also clarifies that the 60-day period begins when the incident is first known, not when the investigation of an incident is complete – thus, the 60-day period begins to run even if it is initially unclear whether the incident constitutes a breach as defined by the rule.

• Requirements for business associates. Following discovery of a breach, a business associate is required to notify the covered entity of the breach so that the covered entity can provide required notices. The rule clarifies that, for business associates that maintain PHI on behalf of more than one covered entity, it is only necessary to notify the covered entity to which the PHI relates. The rule also builds upon the statutory requirements to require that business associates, in addition to identifying the individuals whose PHI was involved in the breach, also provide a covered entity with any other available information that the covered entity is required to include in its notification.

Rule: Health Breach Notification For PHR Vendors and PHR-Related Entities

Overview of the Statutory Requirements

ARRA requires vendors of PHRs and certain PHR related entities to notify their customers following discovery of a breach of security of unsecured PHR identifiable health information that is in a PHR. ARRA specifies that failure by these entities to provide required notices will be treated as an unfair and deceptive act or practice in violation of the Federal Trade Commission Act.

ARRA elaborates on the meaning of a breach of security, specifying that the breach notification requirements will be triggered by the unauthorized acquisition of unsecured PHR identifiable health information of an individual in a PHR. The statute further provides that PHR identifiable health information is defined as individually identifiable health information (as defined by relevant regulations) that is provided by or on behalf of the individual and that identifies the individual (or can be used to identify the individual). A PHR – unlike an electronic health record (EHR), which is generally created and used by health care providers – is an electronic health record that can be drawn from multiple sources and is managed, shared and controlled by or primarily for the individual.

The ARRA provisions concerning breaches involving PHRs generally mirror those prescribed for PHI, in terms of the timeliness, methods and content of the notification. For instance, upon discovery of a breach, a PHR vendor or PHR related entity is required to notify each individual whose unsecured PHR identifiable health information was subject to the breach, and must maintain a log of all such breaches for annual submission to the FTC. Also, like the provisions concerning PHI, for breaches involving 500 or more individuals, PHR vendors and PHR related entities must provide notice to prominent media outlets and to the FTC. The FTC, in turn, is required to alert the Secretary of HHS. Third party service providers have responsibilities similar to those assigned to HIPAA business associates and are required to notify the PHR vendor or PHR related entity of the breach. And, as with breaches involving PHI, notices are generally required to be furnished without unreasonable delay and in no case later than 60 days following discovery of the breach.

The breach notification provisions covering PHRs were intended to serve as a temporary fix to address a gap existing because PHR vendors and PHR related entities are generally not subject to HIPAA. ARRA directs the FTC to work with HHS to report to Congress by February 17, 2010, on potential privacy, security and data breach notification requirements for entities not currently subject to HIPAA. ARRA also provides that the breach notification requirements applicable in the PHR realm will sunset if Congress enacts new legislation establishing notice requirements that would apply to PHR vendors and related entities sustaining a breach of security.

Highlights of the FTC Breach Notification Rule

The FTC’s final health breach notification rule expands on the statutory requirements and responds to comments received on the proposed rule. The FTC follows the HHS guidance on when data is considered secured, so that issue is not addressed in a material fashion in the FTC rule. Highlights of the FTC breach notification rule include –

• Clarification of the types of entities to which the FTC rule applies. The FTC rule clarifies that it primarily applies to two categories of entities: PHR vendors and PHR related entities. PHR vendors offer or maintain PHRs. PHR related entities offer products or services through the Web site of a PHR vendor, offer products or services through the Web sites of HIPAA-covered entities that offer individual PHRs, or access information in, or send information to, a PHR. Notably, an entity that advertises on a PHR vendor Web site may be subject to the FTC rule if it collects information through the Web site, for example if it offers a search engine that tracks customers’ IP addresses or previous searches.

• Obligations of third party service providers. Third party service providers – the FTC analog to business associates – are individuals or entities that furnish services either to PHR vendors in connection with the offering or maintenance of PHRs, or to PHR related entities in connection with a product or service offered by that entity, and that access, maintain, retain, modify, record, store, destroy or otherwise hold, use or disclose unsecured PHR identifiable information as a result of such services. The FTC builds on the statute to specify that these entities must provide breach notifications to an official designated – in a written contract by the PHR vendor or PHR related entity – to receive such notices. If no official is so designated, notice must be furnished to a senior official of the entity, and receipt of the notice must be acknowledged.

• Rebuttable presumption. One key distinction between the FTC and HHS rules is that the FTC rejected HHS’ harm threshold for determining whether privacy or security has been compromised as a result of a breach. The FTC does afford regulated entities a degree of flexibility by building a rebuttable presumption into the definition of what constitutes a breach. The FTC rule provides that a breach of security means – with respect to unsecured PHR identifiable health information of an individual in a PHR – acquisition of such information without the authorization of the individual. Unauthorized acquisition will be presumed where there is unauthorized access to unsecured PHR identifiable information, unless the PHR vendor, PHR related entity or third party service provider that experienced the breach has reliable evidence demonstrating that there has not been (or could not reasonably have been) unauthorized acquisition of the information.

• Exception for inadvertent access by employees. The FTC noted that in cases of inadvertent access by an employee, breach notification is not required if the employee follows company policies by reporting such access to his or her supervisor and affirming that he or she did not read or share the data. The company must also conduct a reasonable investigation to corroborate the employee’s version of events.

• No reasonable basis to identify individuals. The FTC declined to treat limited data sets as having been removed from the realm of PHR identifiable information, but instead noted that breach notification may not be required where an entity can demonstrate that there is no reasonable basis to identify individuals whose data has been breached.

• When breaches are treated as discovered. The FTC shared HHS’ approach to when breaches should be treated as discovered. Breaches will be treated as discovered on the first day on which the breach is known (or reasonably should have been known) to the PHR vendor, PHR related entity or third party service provider, and an entity will be deemed to have knowledge of a breach if the breach is known (or reasonably should have been known) to any person – other than the person committing the breach – who is an employee, officer or other agent of the entity.

• Guiding principles. The FTC expressed several themes in the preamble to the final rule, including that consumers should generally receive a single breach notice for a single incident, and that notice should come from the entity with which the consumer has a direct relationship (rather than from an entity that has been invisible to the consumer). The FTC also provided some insights as to when a use or disclosure of information contained in a PHR would be considered unauthorized, which is somewhat more complicated in the PHR context than in the PHI context, because no regulations exist dictating when authorization for use or disclosure of PHR identifiable health information is required.

• Scope of the FTC’s authority and jurisdiction. The FTC explained that its enforcement power relating to the data breach notification rule extends to non-profit entities, as well as to foreign entities that maintain information on U.S. citizens or residents.

Coming Into Compliance

The fact that neither HHS nor FTC plans to impose sanctions with respect to breaches discovered before February 22, 2010, should not deter affected entities from taking prompt action to address these new federal regulatory requirements. HHS and FTC both seem increasingly committed to enforcing privacy and security regulations in the health care context. Since the change in administration, we have seen the FTC settle charges against retail pharmacy chain CVS Caremark for failing to secure sensitive customer medical information appropriately, and announce its intent to enforce its anti-identity theft rule – the Red Flags Rule – in the health sector. Similarly, in recent months, HHS has consolidated authority for enforcing security as well as privacy regulations within its Office for Civil Rights (OCR) and solicited applications for several newly created OCR enforcement positions.

As a first step, entities should evaluate whether they are subject to the HHS rule, the FTC rule or, perhaps, to both rules. It is quite clear that the HHS rule applies only to HIPAA-covered entities and business associates. Less clear, however, is when the FTC rule will come into play. The FTC rule provides that it will not apply to “HIPAA-covered entities, or to any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity” (emphasis added). Indeed, the regulators recognized that some entities may be subject to both rules, as when, for example, a business associate of a HIPAA-covered entity also offers PHRs directly to the public.

Next steps for affected entities could include updating policies and procedures to incorporate the breach notification responsibilities, and training all workforce members accordingly. Affected entities should also develop and disseminate internal policies designed to encourage workforce members to report suspected breaches immediately through established internal channels, so the entity can make a prompt decision about how to respond. Affected entities may also find it helpful to prepare a notification template to use in the event of a breach, which should take both federal and state breach notification laws into account. Affected entities should also review their business associate and service provider agreements to evaluate the extent to which amendments are needed in light of the new notification obligations.

In addition, affected entities should consider commenting on the HHS breach notification rule. While the regulations seem rather exhaustive, there are some areas where additional agency input may be needed. For example, while HHS clarified that a HIPAA privacy violation is necessary, but not sufficient, to trigger the breach notification requirements, agency guidance may be helpful concerning whether entities reporting breaches to HHS as required by law will have to bear the full brunt of penalties for underlying HIPAA violations revealed, among other issues. As noted above, the comment period remains open until October 23, 2009.


This document is distributed for informational use only; it does not constitute legal advice and should not be used as such. © 2009 Akin Gump Strauss Hauer & Feld LLP

HEALTH INDUSTRY ALERT

FTC DELAYS ENFORCEMENT OF IDENTITY THEFT PREVENTION REGULATIONS UNTIL NOVEMBER 1, 2009

The Federal Trade Commission (FTC) announced on July 29, 2009, that it would again delay enforcement of its anti-identity theft regulation, commonly known as the “Red Flags Rule,” until November 1, 2009. The Red Flags Rule, promulgated by the FTC pursuant to the Fair and Accurate Credit Transactions (FACT) Act of 2003, is aimed at preventing identity theft. It requires “creditors” and financial institutions with “covered accounts”—including many health care providers—to implement programs to identify, detect and respond to the warning signs that could indicate identity theft. This recent delay represents the third time that the FTC has postponed enforcement of the Red Flags Rule.

The FTC stated in a press release that it delayed the August 1, 2009, deadline so that it could redouble its efforts to educate small businesses and other entities on compliance with the Red Flags Rule. The FTC further noted that it intends to ease the burden of compliance by providing additional resources and guidance to clarify whether businesses are covered by the Red Flags Rule and what they must do to comply. The FTC also promised to offer guidance specifically for small and low-risk entities through the Red Flags Rule Web site, www.ftc.gov/redflagsrule. The FTC has already posted some guidance (in the form of FAQs), which is available at www.ftc.gov/bcp/edu/microsites/redflagsrule/faqs.shtm.

Critics from various industries, including the health sector, have voiced concerns over the FTC’s approach to the Red Flags Rule, and they have some allies in Congress. For example, the American Medical Association has objected to the FTC’s position that physicians may be “creditors” that are subject to the Red Flags Rule.

August 3, 2009


The American Bar Association has threatened to file a lawsuit against the FTC unless the agency exempts attorneys from compliance with the Red Flags Rule. The House Appropriations Committee recently requested that the FTC defer enforcement as well as make additional efforts to minimize the burdens of the Red Flags Rule on health care providers and small businesses with a low risk of identity theft problems. In April 2009, the chair of the House Small Business Committee similarly urged the FTC to delay enforcement and to analyze the burden of the Red Flags Rule on health care professionals.

CONTACT INFORMATION

If you have any questions regarding the implications of the privacy and security provisions of the Recovery Act for your business, please contact—

Jorge Lopez, Jr. ........................... [email protected].......................... 202.887.4128 ............ Washington, D.C.

Jo-Ellyn Sakowitz Klein ............. [email protected]......................... 202.887.4220 ............ Washington, D.C.

Kelly Cleary................................ [email protected]........................ 202.887.4329 ............ Washington, D.C.

Anna R. Dolinsky ....................... [email protected] .................... 202.887.4504 ............ Washington, D.C.